Why traditional Internal Controls Testing Fails

The traditional approach to ensuring internal controls are effective is problematic. The normal protocol involves selecting one or more team members to test particular controls on a sporadic basis. The traditional internal audit department is specifically designed with this approach in mind. So what is wrong with this model?

1) Time intensive

The traditional approach is largely manual, and manual review takes a great deal of time.

For example, your team is concerned about duplicate payments in your Purchase-to-Pay (P2P) process. On some recurring basis, someone (an internal auditor if you have one):

pulls a random sample of payments from your ERP system,

traces each sampled payment back to the invoice or invoices it settles for that vendor,

checks whether the same invoice number was paid on more than one payment to that vendor,

gathers the original invoices (manually) and compares the line items of each invoice to see whether the same goods or services were charged on more than one invoice.

This one round of P2P testing takes weeks. An internal auditor we work with estimates a good auditor can review 2.5 transactions per day (from selection through investigation & remediation). Thus, if your organization processed only 6,000 payments a year, a 95% confidence level with a +/- 5% margin of error calls for a sample of roughly 360 transactions (Cochran's sample-size formula with the finite-population correction). At 2.5 transactions per day that is about 145 working days, roughly 29 weeks of testing.
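The four manual steps above (sample, trace to invoice, compare invoice numbers, compare line items) are exactly the kind of check a script can run over every payment in the ERP extract rather than a few hundred sampled ones. The following Python is an added example, not code from the original article or from any product it describes. The payment and invoice records are constructed, and the invoice-number normalization rule (drop punctuation, case and leading zeros before comparing) is an assumption about how the same invoice gets keyed inconsistently by different AP clerks.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records standing in for an ERP payment run and the invoice
# images an auditor would pull by hand; vendors, IDs and amounts are made up.

@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str   # as keyed by the AP clerk, not yet normalized
    amount: float

@dataclass(frozen=True)
class Invoice:
    vendor: str
    invoice_no: str
    lines: tuple      # (description, quantity, unit_price) per line item

PAYMENTS = [
    Payment("P1", "ACME", "INV-0042", 1250.00),
    Payment("P2", "ACME", "inv 42", 1250.00),    # same invoice, keyed differently
    Payment("P3", "ACME", "INV-0043", 300.00),
    Payment("P4", "Globex", "7781", 980.00),
    Payment("P5", "Globex", "7781", 980.00),     # exact repeat of P4
    Payment("P6", "Globex", "7782", 980.00),     # new invoice number, same goods
]

INVOICES = [
    Invoice("ACME", "INV-0042", (("Widget", 10, 125.00),)),
    Invoice("ACME", "INV-0043", (("Gasket", 30, 10.00),)),
    Invoice("Globex", "7781", (("Server rack", 1, 980.00),)),
    Invoice("Globex", "7782", (("Server rack", 1, 980.00),)),   # re-billed under a new number
    Invoice("Globex", "7790", (("Cables", 20, 5.00),)),
]

# Assumed keying convention: optional alphabetic prefix, then digits with optional leading zeros.
_INV_RE = re.compile(r"^([A-Z]*)0*(\d+)$")

def normalize_invoice_no(raw: str) -> str:
    """Collapse formatting noise so 'INV-0042', 'inv 42' and 'INV0042' compare equal.
    Only punctuation, case and leading zeros are dropped; different digit strings stay different."""
    cleaned = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    m = _INV_RE.match(cleaned)
    return f"{m.group(1)}{m.group(2)}" if m else cleaned

def find_duplicate_invoice_payments(payments):
    """Step 3 of the manual test: the same invoice paid on more than one payment to a vendor.
    Returns {(vendor, normalized_invoice_no): [payment_id, ...]} for every repeated invoice."""
    by_invoice = defaultdict(list)
    for p in payments:
        by_invoice[(p.vendor, normalize_invoice_no(p.invoice_no))].append(p.payment_id)
    return {key: ids for key, ids in by_invoice.items() if len(ids) > 1}

def find_rebilled_line_items(invoices):
    """Step 4: distinct invoices from one vendor that charge exactly the same line items.
    Returns [(vendor, [normalized_invoice_no, ...]), ...], sorted for stable output."""
    by_fingerprint = defaultdict(set)
    for inv in invoices:
        fingerprint = tuple(sorted(inv.lines))   # order-independent view of the line items
        by_fingerprint[(inv.vendor, fingerprint)].add(normalize_invoice_no(inv.invoice_no))
    hits = [(vendor, sorted(nos)) for (vendor, _), nos in by_fingerprint.items() if len(nos) > 1]
    return sorted(hits)

def run_duplicate_payment_checks(payments=PAYMENTS, invoices=INVOICES):
    """Run the whole population through both checks; the auditor then investigates only the hits."""
    return {
        "duplicate_invoice_payments": find_duplicate_invoice_payments(payments),
        "rebilled_line_items": find_rebilled_line_items(invoices),
    }

if __name__ == "__main__":
    for check, findings in run_duplicate_payment_checks().items():
        print(check, findings)
```

On the constructed data the first check flags P1/P2 (one ACME invoice keyed two ways) and P4/P5 (a straight repeat), and the second flags Globex invoices 7781 and 7782, which would slip past an invoice-number comparison because the number changed while the goods did not. The normalization is deliberately narrow: it never merges two different digit strings, so it cannot manufacture a duplicate, only recover one hidden by formatting. Matching line items exactly is a conservative starting point; loosening it (for example, tolerating small differences in unit price) finds more candidates at the cost of more items for a human to clear.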

2) Delayed

Because the traditional approach is so time-consuming and staff have other work to do, these tests are run infrequently, so the auditor is looking at transactions that are months or years old. By the time a duplicate payment (for example) is found, the likelihood of recovering it is greatly diminished.

The cost of that delay is measurable: according to a KPMG Fraud & Misconduct survey, procurement fraud takes 24 months on average to detect, and by then 89% of the proceeds are unrecoverable.